I suspect that at some point in the past, a user without permission to submit a form could actually access the full form and fill in fields before being presented with a message that they had no permission to submit the form. The current solution (that they don't get to view the form fields) is certainly a better in terms of UX, but the node/add/webform "help text" for these settings is less clear (I'm assuming it's outdated), since it currently indicates only that users of the selected roles will be allowed to submit the form. I think this text (and related texts, elsewhere) could better match the error message a user without the correct role would see (i.e. 'You do not have permission to view this form.')

The goal of the attached patch is to better indicate, in the admin (create webform) interface the result of these permissions, especially since (for many use cases) the result of using these permissions is adequate without need for any additional access control modules.

Note: This patch was created against the 7.x-3.9 version as it did not seem there was a "dev" version available for Git checkout, but I think it should be back-ported to the 6.x branch, too.

CommentFileSizeAuthor
#3 webform_access_submit_UI_fix-v2.patch3.36 KBlomo
webform_access_submit_UI_fix.patch3.67 KBlomo

Comments

quicksketch’s picture

quicksketch
he/him
commented

Thanks these are good suggestions. You're quite right that we used to always show the form, even if the user couldn't actually submit it. Then we later removed the form entirely if the user did not have access to submit it.

All of these changes seem good, though this bit a bit overly verbose:

It does not prevent a user from seeing the webform node title and body fields, but will prevent them from seeing the actual form fields and wasting time filling them in. If they need to log in to submit the form, they will see a message telling them so. If they are logged in and do not have the correct role, they will see a message that they do not have permission to view the form.

Sometimes less is more when it comes to help text.

lomo’s picture

lomo commented

Hi, Nate,

You're right. It is a bit too verbose. Trim as you please... or perhaps:
"Users who don't have the checked privileges will only see the form Title and Body fields; the actual form fields will not be visible."

I included more info to try to clarify the behavior that site admins should expect to see when testing the form. But I agree, too much text and users might not read it. ;-) (The reason I included so much detail was actually to help them determine whether they need another "access module" or whether the "default behavior" would satisfy their requirements.)

I'm not in front of the computer with the original patch, but will make this edit and re-submit (a bit later today).

Lowell

lomo’s picture

lomo commented
StatusFileSize
new webform_access_submit_UI_fix-v2.patch3.36 KB

Apologies for the delay. Attached is a patch which should work and makes that paragraph much more succinct (as above).

quicksketch’s picture

quicksketch
he/him
commented
Status: Needs review » Needs work

Okay continuing to nitpick (but hey, that's what help text is all about):

-    '#description' => t('By default, the configuration form for each webform allows the administrator to choose which roles may submit the form. You may want to allow users to always submit the form if you are using a separate node access module to control access to webform nodes themselves.'),
+    '#description' => t('By default, the configuration form for each webform allows the administrator to choose which roles may access and submit the form.'),

This change leaves no help text available that is actually helpful. I'd prefer to leave it as-is.

-    '#title' => t('Submission access'),
+    '#title' => t('View and submission access'),

What if we just called this "Form access"?

-    '#description' => t('These permissions affect which roles can submit this webform. It does not prevent access to the webform page. If needing to prevent access to the webform page entirely, use a content access module such as <a href="http://drupal.org/project/taxonomy_access">Taxonomy Access</a> or <a href="http://drupal.org/project/node_privacy_byrole">Node Privacy by Role</a>.'),
+    '#description' => t('Users who do not have the checked privileges will only see the form Title and Body fields; the actual form fields will not be visible. If needing to prevent access to the webform page entirely, use a content access module such as <a href="http://drupal.org/project/taxonomy_access">Taxonomy Access</a> or <a href="http://drupal.org/project/node_privacy_byrole">Node Privacy by Role</a>.'),

The new help text is not accurate. Not all nodes have body fields, and you can use CCK or Field module to add additional fields to the node type.

quicksketch’s picture

quicksketch
he/him
commented
Category: Bug report » Task
Issue summary: View changes
Status: Needs work » Closed (won't fix)

After reading over this patch again, I'm not sure that the new text is any better than the existing text. I'd prefer to leave this as-is, sparing translators the rewording of everything.